Building the New Channel Security Achitecture for the Next Decade

November 28, 2012
Building the New Channel Security Achitecture for the Next Decade

Using IBM’s Access Management solution with SecurIT’s Versatile Authentication Server, allows ING to offer easy re-use of security services for different use cases, to accommodate different methods over time, and to balance risk/cost while meeting the needs of different user communities.

ING decided to revisit its web banking platform, which now serves 1.5 million users. ING used the opportunity to build a new security infrastructure, providing strong Authentication, Transaction Signing and Single Sign-On to new and existing applications. The complementary solution using IBM Tivoli Access Manager and SecurIT TrustBuilder meets current requirements while offering the flexibility to easily adapt to future requirements.

ING Belgium

Established through an acquisition in 1998, ING Belgium SA/NV is a banking chain based in Brussels. Through online and telephone channels and nearly 800 branch locations, the bank provides a wide range of financial services to individuals, institutions and small and large enterprises. Its services include retail and private banking, corporate and institutional banking, financial planning, investment banking, asset management and life and nonlife insurance. ING Belgium is a subsidiary of global financial entity ING Group NV. It reported EUR1.2 billion in revenue in 2009.

Objectives and drivers

As the initial objective, ING wanted to introduce a new authentication method to replace the old mechanism in use for over a decade. They desired to move to a non-connected card reader in combination with the bankcard (smartcard) based on the CAP-EMV standard. The second objective was to create a New Channel Security Infrastructure (NCS), with the objective to externalize all the authentication from the applications, and to carve out the transaction signing and validation functions from the existing applications.


Additional objectives came from various drivers:
Align with regulatory demands
  • CAP-EMV compliance using an Unconnected Card
Reader (UCR)
Business requirements
  • SSO for customers within retail & wholesale segments
  • Support crossing of customer segments
  • Support external hosted applications (outside the ING data center)
  • Support employees – branch of the future
  • Support newer paradigms: federation, mobile, etc …
  • When possible, buy versus build
  • Improve security
  • Leave the Unisys legacy platform
  • Leverage infrastructure, align on Tivoli products

ING decided that their goals were best achieved by the combination of IBM Tivoli Access Manager and SecurIT TrustBuilder. By combining TAMeb with TrustBuilder, they met the objectives identified above, and a real competitive advantage was realized.

The Project

IBM Premier Business Partner SecurIT BVBA helped ING Belgium implement an integrated solution combining the business partner’s TrustBuilder software with IBM Tivoli Access Manager for e-business (TAMeB) and IBM Tivoli Federated Identity Manager (TFIM) software. Utilizing this solution, ING can now:
  • Provide single sign on to both internal and externally hosted banking applications, for retail and wholesale customers and customers who do business in both segments
  • Support new-authentication and transaction-signing mechanisms compliant with the Europay, MasterCard and Visa and Chip Authentication Program standards, as well as newer paradigms for federation, mobile technologies and more
  • Continue leveraging an existing Unisys system for user management
  • Easily integrate future branches. At the business level, the solution represents a seamless user experience with a consistent look and feel across all services and channels. All authorized employees can access the same customer data in real time, regardless of which channel the data came from. And customers can now access all of their account data and all available services after providing their personal data only once.

As a second step, ING decided to remove all the session access control from its application, and hand-it over to the TAMeB component, which now uniquely controls the processes of session control. ING also offload authentication matters to SecurIT TrustBuilder. Special TrustBuilder connectors have been used, in conjunction with TFIM, to leave the central client repository on the MainFrame, therefore achieving an efficient reuse of the existing client repository infrastructure. The ING architecture is now ready to easily integrate other web applications accessible from the Internet in future phases.

Benefits for the Customer

ING Belgium simplified and strengthened the authentication mechanisms for its internal and externally hosted banking applications. As a result, the client has reduced:

  • The time and cost of changing an authentication mechanism by at least 50 percent
  • Development time by 10 to 20 percent by reusing validation features with multiple applications
These reductions translate into valuable business-level improvements: ING Belgium can deploy application updates and enhancements quicker and it can maintain a higher overall level of customer service.
Access management